The DORA (Digital Operational Resilience Act) regulation represents a major step forward in the regulation of IT-related risks within the European Union. Adopted in December 2022, the regulation aims to strengthen the digital operational resilience of European financial entities in the face of cyber threats.
In this article, we examine DORA's key measures, its objectives and its impact on the financial sector.
1. Definition of the DORA regulation
The DORA (Digital Operational Resilience Act) regulation, proposed in September 2020, was adopted in December 2022 by the European Parliament and the Council. It establishes uniform standards to strengthen the management of risks related to information technologies and the security of networks and information systems in the EU. It is part of the European Commission's digital finance strategy, which aims to promote innovation while guaranteeing financial stability and consumer protection.
The innovative regulation provides a detailed and comprehensive framework for strengthening the digital operational resilience of financial entities. It also includes the establishment of a direct monitoring mechanism for ICT (Information and Communication Technology) service providers considered critical at EU level. It requires financial entities to rapidly inform the supervisory authorities in the event of major ICT-related incidents.
Although it came into force on January 16, 2023, its effective application will begin in 2025, the deadline for implementation in all EU member states.
2. The digital operational resilience regulation: who is affected?
The DORA regulation primarily impacts companies in the European Union's financial sector:
- traditional organizations (credit institutions, investment firms)
- more recent organizations (payment organizations, e-money companies, asset management companies, insurance and reinsurance companies).
The regulation also covers ICT service providers considered critical to the EU financial services sector. Microenterprises and very small enterprises with fewer than 10 employees or sales of less than €2 million are exempt from the DORA regulation.
The main goal of DORA is to unify and extend existing standards and requirements, at both European and national level, to create a comprehensive and harmonized framework to ensure the continuity of financial activities in the face of cyber-attacks, and to strengthen the digital operational resilience of financial entities.
3. What are the 5 key steps of DORA?
The DORA regulation includes several key steps to reinforce digital operational resilience in the European Union's (EU) financial sector. Here are five important pillars of DORA:
1. Information and Communication Technology (ICT) risk management:
The DORA regulation requires management to take responsibility for ICT risk management, identify critical functions, and put in place a risk management framework based on international standards, to be reviewed annually.
This framework must include a digital resilience strategy, regular audits, and cybersecurity training for the management team. All company employees, including members of management, must receive cybersecurity training appropriate to their positions, in accordance with Article 13, point 6 of the DORA regulation. The regulation also encourages the use of advanced technologies, rapid detection of irregular activities, data backup, and transparency in the event of ICT-related incidents.
2. Reporting ICT incidents:
This new regulation requires financial entities to improve their ability to collect, transmit and disseminate reports on information and communication technology (ICT) incidents. It establishes a harmonized detection and reporting system, requiring companies to submit initial, interim, and final reports in the event of major ICT incidents. These reports must make it possible to assess the severity of the incident and its possible repercussions beyond national borders.
European authorities will thus be able to issue instructions to limit the consequences as soon as the initial notification is received, and will publish an annual report on ICT incidents.
3. Digital operational resilience tests:
Financial entities will be required to complete digital operational resilience and vulnerability tests at least once a year, carried out by independent internal or external parties. These tests are intended to assess the entities' ability to manage ICT incidents and identify system weaknesses, using a risk-based approach. Before deploying new services or upgrading existing ones linked to critical functions, vulnerability assessments are necessary to guarantee the operational resilience of IT systems.
4. Third-party risk management:
The DORA regulation extends existing obligations concerning the outsourcing of ICT services to third-party providers, compelling financial entities to manage the risks associated with these providers. They must assess contractual risks, terminate contracts with suppliers presenting cybersecurity risks, and produce an annual report on ICT agreements. DORA defines key principles for managing the risks associated with ICT providers, including registration requirements, minimum contractual requirements, and a European monitoring framework for critical providers.
5. Sharing information and intelligence:
DORA encourages financial institutions to share information on cyber threats to strengthen digital resilience and reduce ICT-related risks. It authorizes financial entities to establish information-sharing arrangements, while guaranteeing the protection of personal data and requiring notification to the relevant authorities. These measures are designed to improve defensive capabilities and detection techniques against cyber threats.
4. How can our anonymizing solutions like DOT Anonymizer help to protect data in compliance with DORA regulations?
The DOT Anonymizer solution masks personal and identifying information, guaranteeing data confidentiality and protection. The solution is an essential element in complying with DORA regulations, ensuring the security of data in IT systems, as well as data shared between financial entities. This tool also helps mitigate the risks of data leakage associated with our growing dependence on technology and the increase in cyber threats.
DOT Extract, for its part, offers the option of copying only the necessary data from the production database, thus reducing anonymization and reloading time. With the emergence of regulations such as DORA (Digital Operational Resilience Act), some of our existing customers, such as SFIL, are considering integrating DOT Extract into their IT infrastructure. You can read their customer testimonial on this subject.
5. Conclusion
It is important for financial entities to consider the DORA regulation, as it sets decisive standards for reinforcing digital operational resilience in the EU financial sector.
Its application in 2025 constitutes a key step in guaranteeing the security and protection of consumer data.